Beware of Evernote: Your location is owned by us (and you don’t know it)!

Written by: Mark Wireman, February 26, 2020

So we all know that mobile devices have GPS services built-in which allows us to use software to view maps (e.g., Google Maps, Apple Maps), get directions (e.g. Waze, Google Maps), and mark or use a location of where we currently are (e.g. Snapchat, Chrome, Facebook). We also know that over the years we have been provided with increased flexibility and control over what applications can access and use our current location as a measure to try and keep as much of our private information just that – private.

However, as we have experienced from time to time, there are applications that become wildly popular only for us to find out that the application is putting popularity above our privacy, hoping to sneak by unnoticed while storing private data without our knowledge, consent, or ability to stop the application from doing so.

Well, I have recently stumbled on an application that is secretly collecting your geolocation details and saving it without your knowledge and without the ability to adjust the setting. The application is Evernote, which is an app for note-taking, organizing, task management, and archiving that is SaaS-based allowing the data to be synchronized across multiple devices – from the web to mobile to desktop.

Background

I started using Evernote when it first debuted, offering those that signed up a free account. I was drawn to the product with its slick user interface and ease of synchronizing notes across multiple devices, making it easy for me to capture a thought or write on any device that was within reach and then easily access it on another device to act on the thought or writing appropriately. While I have worked with OneNote in the past, at the time OneNote simply was not as slick and did not offer support on as many platforms as Evernote.

Now that OneNote has made significant strides in expanding the technology platforms it supports along with significant improvements in synchronization, I decided to return to OneNote. However, there is one catch: I need to transfer my Evernote content to my OneNote account. This, as I have learned, is not an easy task. Therefore, I put my application developer hat on and started the process of reverse engineering Evernote to determine if I can write an application that will take the Evernote content and transfer it for me to OneNote.

Reverse Engineering Evernote

I have Evernote installed on my iPhone, iPad, MacBook, and Windows laptop. For the reverse engineering task, I used the install on Windows to begin investigating where Evernote is installed and how and where the Evernote data is stored. The Evernote application is installed in C:\Program Files (x86)\Evernote (this can be found by either using the File Explorer and looking through the Program Files (x86) directory or running a search in the Registry Editor); however, this location is not used to store the content that Evernote uses that is associated with the user. After a bit more detective work, I found where Evernote is storing the content: it is in the logged-in user's directory, in the Evernote subdirectory, in another subdirectory named Databases, e.g. C:\Users\{username}\Evernote\Databases\{EvernoteUser}.exd. Eureka – we now have the data! Next step – try to find out how to get to the data.

After changing the extension of the database from .exd to .zip and then attempting to unzip it, the WinZip error message indicating the file is not in the zip format told me that the database is not a Zip file in disguise. Then a thought hit me – if I were developing the application, knowing I had to target multiple platforms where I have to be concerned with synchronization, storing updates locally, etc., my architectural design will include a light-weight embedded database that is available as open source. Therefore, my own approach – and hunch – led me to SQLite. Hence, I took a copy of the .exd file and renamed it to a .sqlite3 (not a necessary step, just wanted to keep the two files separate and easily identified). After opening up the database using the command line and then running .schema in the SQLite command-line tool, voila!, we now have direct access to the Evernote database that is used to store all of my Evernote content (see Figure 1)!

Figure 1: List of tables in the Evernote database (output from the .tables command via the sqlite command-line tool).

Your Location Belong to Us!

Now that I have a list of the tables, I can get a look at the database structure by running .schema to understand how each table is created and the indexes that have been set up for relationships, primary keys, etc. See Figure 2.

[Figure 2 (screenshot of the .schema output). Legible content: CREATE INDEX statements on resource_attr for height, duration, source_url, date_created, date_updated, timestamp, latitude, longitude, altitude, camera_make, camera_model, reco_type, file_name, partial_sync, is_attachment, has_search_text, size, hash and is_deleted; a CREATE TABLE notebook_attr statement whose legible columns include uid, name, stack, restrictions, date_created, date_updated, note_count, is_local, is_linked, is_offline, is_accessible, business_id and workspace_uid, most declared DEFAULT NULL and the text columns COLLATE NOCASEUTF8 (several column names are illegible); and CREATE INDEX statements on notebook_attr for name, stack, restrictions, can_move_to_container_status and flags.]

Figure 2: Schema details of the Evernote database file (output from the .schema command via the sqlite command-line tool).

What caught my attention was the create command for the table notebook_attr has fields for latitude, longitude, altitude, geolocation information, and source. This piqued my curiosity and also elevated my concern so I ran a select statement on the table to find out that by golly Evernote is capturing, saving, and sharing my location information for a note I created using a mobile device (see Figure 3)!

[Figure 3 (screenshot of the query output opened in a spreadsheet). Legible column headers include title, author, source, latitude, longitude, altitude and geo_address; the source column shows values such as mobile.iphone, and at least two rows carry populated latitude, longitude and altitude values, one of them with a street address.]

Figure 3: Output of the notebook_attr table showing the location information that is captured and saved by the Evernote application (output from running .excel and then running select * from notebook_attr via the sqlite command-line tool). You can use a conversion site to get the address from the latitude and longitude information.
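
The two manual steps above, working out that the .exd file is SQLite and then reading the schema for location fields, can be scripted. This is an added example, not code from the original post or from Evernote; it goes slightly beyond the article by scanning every table, and the function names, the sample rows and the stand-in for the NOCASEUTF8 collation are assumptions made for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
LOCATION_HINTS = ("latitude", "longitude", "altitude", "geo_")

def is_sqlite(path):
    # Identify the container by its header rather than by renaming and guessing.
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_location_columns(path):
    # Returns {(table, column): populated_row_count} for location-like columns.
    if not is_sqlite(path):
        raise ValueError(f"not a SQLite 3 database: {path}")
    # Read-only URI: the audit cannot modify the copy being examined.
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    # Stand-in (assumption) for the custom NOCASEUTF8 collation in the schema,
    # so statements that touch those columns still prepare.
    conn.create_collation(
        "NOCASEUTF8", lambda a, b: (a.lower() > b.lower()) - (a.lower() < b.lower()))
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, name, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(hint in name.lower() for hint in LOCATION_HINTS):
                findings[(table, name)] = conn.execute(
                    f'SELECT COUNT(*) FROM "{table}" WHERE "{name}" IS NOT NULL'
                ).fetchone()[0]
    conn.close()
    return findings

def build_sample_db(path):
    # Constructed sample: column names follow the article, the rows are invented.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE notebook_attr (uid INTEGER PRIMARY KEY, source TEXT, "
                 "latitude REAL, longitude REAL, altitude REAL, geo_address TEXT)")
    conn.executemany("INSERT INTO notebook_attr VALUES (?,?,?,?,?,?)", [
        (1, None, None, None, None, None),
        (2, "mobile.iphone", 10.0, 20.0, 30.0, "1 Example St")])
    conn.commit()
    conn.close()
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_location_columns(build_sample_db(Path(tmp) / "sample.exd")))
```

Run it against a copy of the database, not the live file the client has open.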

As I am often as guilty as many who install applications on a mobile device, I figured I may have simply allowed Evernote to capture and save my location information by clicking through the acceptance and approval buttons during the installation. So I decided to check the Privacy Settings -> Location Services to set Evernote to not allow the application to use my current location. To my surprise and now growing concern and frustration, I did not see Evernote in the list of applications that are using Location Services (see Figure 4). This means Evernote is using Location Services secretly and there is no way a user can stop Evernote from doing this! Therefore, your location data belongs to Evernote and you have no idea how it is being used, what it is being used for, and you do not have the ability to tell Evernote to stop doing it!

[Figure 4 (screenshot of the iOS Privacy > Location Services list). Apps shown include Hilton, British Airways, Calendar, Camera, Chrome, Cigar Scanner, Eventbrite, Expedia, Favor, Flight Tracker, Fly Delta, FordPass, GolfLogix, Golfnow, Google Home, Google Maps, Great Clips and Grubhub, each set to "While Using".]

Figure 4: Evernote is missing – it should be included between Eventbrite and Expedia.

Closing Thoughts and Next Steps

The discovery that a promising application like Evernote, which charges for the Premium service, collects privacy data without the user’s knowledge and ability to stop the collection is very disappointing. I really enjoyed using Evernote, finding it easy to use and access from multiple locations and devices. This type of information, while it may seem benign to some, can be quite a treasure trove for those that want to learn about an individual’s movements, habits, and frequently visited locations and duration at those locations. This is especially concerning for those individuals that may use Evernote while frequently visiting areas that may be controversial or dangerous, especially journalists, investigators, military, and other personnel. And given that the data is not protected through encryption (as shown in Figure 3 – it is all in plaintext) and we don’t know how Evernote uses the data, once it is in the hands of a not-so-friendly individual it can be harvested with ease.

For all of you that use Evernote, I highly recommend the following actions:

  • If you are using Evernote on any mobile device, my suggestion is to stop using Evernote immediately!;
  • Send emails to Evernote demanding they change the application to properly notify users of the location data mining and to allow users the ability to not collect the data;
  • Send emails to Apple and Google stores telling them to remove the Evernote application until Evernote makes the necessary changes.

For myself, I have already removed the app from my mobile devices and will end my Premium service until and when Evernote can personally assure me and prove to me they have taken necessary steps to stop collecting location information without my consent and control. In addition, I will be providing to the open source community an application that easily and automatically allows users to port their data from Evernote to either OneNote or an HTML or PDF file format. Stay tuned for updates on the application!


Disclaimer: I did make an attempt to notify Evernote of the discovery. However, when navigating to the requested Security Overview page in the About section of Evernote, the following is a screen capture of the content displayed:

The web page is void of any content, contact information, or instructions on how to properly submit security issues.